Index: package-lock.json
===================================================================
--- package-lock.json	(revision 43954)
+++ package-lock.json	(working copy)
@@ -280,20 +280,20 @@
 			}
 		},
 		"@wordpress/block-library": {
-			"version": "2.2.8",
-			"resolved": "https://registry.npmjs.org/@wordpress/block-library/-/block-library-2.2.8.tgz",
-			"integrity": "sha512-86DiBPFQwGDWf/s4OwmTp2q+VoeNhmW1OQXu/on+c5MHgJh7W2uFasO4bhmz31+U9KwAFHQr3pCcxaasdP17vQ==",
+			"version": "2.2.9",
+			"resolved": "https://registry.npmjs.org/@wordpress/block-library/-/block-library-2.2.9.tgz",
+			"integrity": "sha512-Do/3f1S6uPOywSSiCyeLW6//DEIy7cAyBIdtxcl1CssfpwCPiDbXq5OpyRf94FKV4J1C0qwJfF604IdcsCmsjw==",
 			"requires": {
 				"@babel/runtime": "^7.0.0",
 				"@wordpress/autop": "^2.0.2",
 				"@wordpress/blob": "^2.1.0",
-				"@wordpress/blocks": "^6.0.2",
+				"@wordpress/blocks": "^6.0.3",
 				"@wordpress/components": "^7.0.3",
 				"@wordpress/compose": "^3.0.0",
 				"@wordpress/core-data": "^2.0.14",
 				"@wordpress/data": "^4.0.1",
 				"@wordpress/deprecated": "^2.0.3",
-				"@wordpress/editor": "^9.0.3",
+				"@wordpress/editor": "^9.0.4",
 				"@wordpress/element": "^2.1.8",
 				"@wordpress/html-entities": "^2.0.3",
 				"@wordpress/i18n": "^3.1.0",
@@ -309,28 +309,28 @@
 			}
 		},
 		"@wordpress/block-serialization-default-parser": {
-			"version": "2.0.0",
-			"resolved": "https://registry.npmjs.org/@wordpress/block-serialization-default-parser/-/block-serialization-default-parser-2.0.0.tgz",
-			"integrity": "sha512-WPQuQ2IsUOG9wMTst8CYW8c5NMM3iatTW2FinfZrHtH9R1g9qdQPt5Wv56U7eMeDACVOj35jG2oJtZCRaDyL7A==",
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/@wordpress/block-serialization-default-parser/-/block-serialization-default-parser-2.0.1.tgz",
+			"integrity": "sha512-Wd4yC9NgakDv39bPskA56GSGprZ5kXuhDff3hLR2HpOYS2TPHgT06UsfVfO1tJBOxrqcS/AHVj7FEFZqyyKPNg==",
 			"requires": {
 				"@babel/runtime": "^7.0.0"
 			}
 		},
 		"@wordpress/block-serialization-spec-parser": {
-			"version": "2.0.0",
-			"resolved": "https://registry.npmjs.org/@wordpress/block-serialization-spec-parser/-/block-serialization-spec-parser-2.0.0.tgz",
-			"integrity": "sha512-l5N0o2Tkc4IcDhhMfX2W3KuEV/4F7TeitJEDtBpLYf7eRMIn3Uh6l5rPDmmuTDv7UFlMWTiA8z/oCpl13ZyBOw=="
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/@wordpress/block-serialization-spec-parser/-/block-serialization-spec-parser-2.0.1.tgz",
+			"integrity": "sha512-9bhi2/hThAH8MbFAalI3UMZiKmUih8Az5ZFRzZy9E+EO4BYW479DFU5l/jSelDh3fPhsPza9UZ0so3IrqqoCzg=="
 		},
 		"@wordpress/blocks": {
-			"version": "6.0.2",
-			"resolved": "https://registry.npmjs.org/@wordpress/blocks/-/blocks-6.0.2.tgz",
-			"integrity": "sha512-Y9cIbxXnATT6NPBbT969awm/5iLL/fRYoQ2a0xoqqHdcI8kxPbMv2TdAE8RaM8eeYL17t6CmWdfP+jkAIVGMGg==",
+			"version": "6.0.3",
+			"resolved": "https://registry.npmjs.org/@wordpress/blocks/-/blocks-6.0.3.tgz",
+			"integrity": "sha512-jBk9xa87b9xgizVXBBnCYMDju0Q871JyeSCwJyUvd77flrym7BjfNIIWVnwOlLxUYc6BeHxZCAi+JzybHLlvFA==",
 			"requires": {
 				"@babel/runtime": "^7.0.0",
 				"@wordpress/autop": "^2.0.2",
 				"@wordpress/blob": "^2.1.0",
-				"@wordpress/block-serialization-default-parser": "^2.0.0",
-				"@wordpress/block-serialization-spec-parser": "^2.0.0",
+				"@wordpress/block-serialization-default-parser": "^2.0.1",
+				"@wordpress/block-serialization-spec-parser": "^2.0.1",
 				"@wordpress/data": "^4.0.1",
 				"@wordpress/dom": "^2.0.7",
 				"@wordpress/element": "^2.1.8",
@@ -470,22 +470,22 @@
 			}
 		},
 		"@wordpress/edit-post": {
-			"version": "3.1.3",
-			"resolved": "https://registry.npmjs.org/@wordpress/edit-post/-/edit-post-3.1.3.tgz",
-			"integrity": "sha512-bA9OIkzInCLvf2YB4b6H0Ubghmv+AjOrCpZcp/5sdWLAg7hE6ZzZZ5Pz/2o5bBd+mTkalALJFMxgy7DKvH3WgQ==",
+			"version": "3.1.4",
+			"resolved": "https://registry.npmjs.org/@wordpress/edit-post/-/edit-post-3.1.4.tgz",
+			"integrity": "sha512-xZZ1x+JfMLTgCZkkdaJeYdsdEVQ+MkbRtweSdqfm4p4zdyId8wTg/n/ccqAAhFnQjoTufEkkchzRmmnoHozrcg==",
 			"requires": {
 				"@babel/runtime": "^7.0.0",
 				"@wordpress/a11y": "^2.0.2",
 				"@wordpress/api-fetch": "^2.2.5",
-				"@wordpress/block-library": "^2.2.8",
-				"@wordpress/blocks": "^6.0.2",
+				"@wordpress/block-library": "^2.2.9",
+				"@wordpress/blocks": "^6.0.3",
 				"@wordpress/components": "^7.0.3",
 				"@wordpress/compose": "^3.0.0",
 				"@wordpress/core-data": "^2.0.14",
 				"@wordpress/data": "^4.0.1",
-				"@wordpress/editor": "^9.0.3",
+				"@wordpress/editor": "^9.0.4",
 				"@wordpress/element": "^2.1.8",
-				"@wordpress/format-library": "^1.2.6",
+				"@wordpress/format-library": "^1.2.7",
 				"@wordpress/hooks": "^2.0.3",
 				"@wordpress/i18n": "^3.1.0",
 				"@wordpress/keycodes": "^2.0.5",
@@ -499,15 +499,15 @@
 			}
 		},
 		"@wordpress/editor": {
-			"version": "9.0.3",
-			"resolved": "https://registry.npmjs.org/@wordpress/editor/-/editor-9.0.3.tgz",
-			"integrity": "sha512-Iz2B2JccsluiV0CdIkeH7sdl+3JcM7u9OqQSRC+0G2gfq8c09c98BE9myRUN16EVvL6zf025DzRU3hSx9r3AbQ==",
+			"version": "9.0.4",
+			"resolved": "https://registry.npmjs.org/@wordpress/editor/-/editor-9.0.4.tgz",
+			"integrity": "sha512-adLq0C0DZFz5R1TNzqRttmcEHXz9Nv4VIBxyqFQbubfMAzq6LKv44YxNw0t9Pg2cZQr4V5gbu214H/0C67PFTQ==",
 			"requires": {
 				"@babel/runtime": "^7.0.0",
 				"@wordpress/a11y": "^2.0.2",
 				"@wordpress/api-fetch": "^2.2.5",
 				"@wordpress/blob": "^2.1.0",
-				"@wordpress/blocks": "^6.0.2",
+				"@wordpress/blocks": "^6.0.3",
 				"@wordpress/components": "^7.0.3",
 				"@wordpress/compose": "^3.0.0",
 				"@wordpress/core-data": "^2.0.14",
@@ -597,14 +597,14 @@
 			}
 		},
 		"@wordpress/format-library": {
-			"version": "1.2.6",
-			"resolved": "https://registry.npmjs.org/@wordpress/format-library/-/format-library-1.2.6.tgz",
-			"integrity": "sha512-8GkrMRSZ287qotsYzJh0kzDRjDAYJLicwbSRSv4AR2+4dSW6ZX1CK2jt/ihxg5cbqxMitPPTqRA0PmUk+AtdDA==",
+			"version": "1.2.7",
+			"resolved": "https://registry.npmjs.org/@wordpress/format-library/-/format-library-1.2.7.tgz",
+			"integrity": "sha512-lVsltV1vS9BW+rHxb0ue+/z5ghvytAixVKCkwMaEEnc4qYYo4nzfsXTNCqpgxyQkpgH34j96psPD/34+os0ALg==",
 			"requires": {
 				"@babel/runtime": "^7.0.0",
 				"@wordpress/components": "^7.0.3",
 				"@wordpress/dom": "^2.0.7",
-				"@wordpress/editor": "^9.0.3",
+				"@wordpress/editor": "^9.0.4",
 				"@wordpress/element": "^2.1.8",
 				"@wordpress/i18n": "^3.1.0",
 				"@wordpress/keycodes": "^2.0.5",
Index: package.json
===================================================================
--- package.json	(revision 43954)
+++ package.json	(working copy)
@@ -55,9 +55,9 @@
 		"@wordpress/api-fetch": "^2.2.5",
 		"@wordpress/autop": "^2.0.2",
 		"@wordpress/blob": "^2.1.0",
-		"@wordpress/block-library": "^2.2.8",
-		"@wordpress/block-serialization-default-parser": "^2.0.0",
-		"@wordpress/blocks": "^6.0.2",
+		"@wordpress/block-library": "^2.2.9",
+		"@wordpress/block-serialization-default-parser": "^2.0.1",
+		"@wordpress/blocks": "^6.0.3",
 		"@wordpress/components": "^7.0.3",
 		"@wordpress/compose": "^3.0.0",
 		"@wordpress/core-data": "^2.0.14",
@@ -66,11 +66,11 @@
 		"@wordpress/deprecated": "^2.0.3",
 		"@wordpress/dom": "^2.0.7",
 		"@wordpress/dom-ready": "^2.0.2",
-		"@wordpress/edit-post": "^3.1.3",
-		"@wordpress/editor": "^9.0.3",
+		"@wordpress/edit-post": "^3.1.4",
+		"@wordpress/editor": "^9.0.4",
 		"@wordpress/element": "^2.1.8",
 		"@wordpress/escape-html": "^1.0.1",
-		"@wordpress/format-library": "^1.2.6",
+		"@wordpress/format-library": "^1.2.7",
 		"@wordpress/hooks": "^2.0.3",
 		"@wordpress/html-entities": "^2.0.3",
 		"@wordpress/i18n": "^3.1.0",
Index: src/wp-includes/class-wp-block-parser.php
===================================================================
--- src/wp-includes/class-wp-block-parser.php	(revision 43954)
+++ src/wp-includes/class-wp-block-parser.php	(working copy)
@@ -359,6 +359,7 @@
 	 *
 	 * @internal
 	 * @since 3.8.0
+	 * @since 4.6.1 fixed a bug in attribute parsing which caused catastrophic backtracking on invalid block comments
 	 * @return array
 	 */
 	function next_token() {
@@ -373,7 +374,7 @@
 		 * match back in PHP to see which one it was.
 		 */
 		$has_match = preg_match(
-			'/<!--\s+(?<closer>\/)?wp:(?<namespace>[a-z][a-z0-9_-]*\/)?(?<name>[a-z][a-z0-9_-]*)\s+(?<attrs>{(?:[^}]+|}+(?=})|(?!}\s+-->).)*?}\s+)?(?<void>\/)?-->/s',
+			'/<!--\s+(?<closer>\/)?wp:(?<namespace>[a-z][a-z0-9_-]*\/)?(?<name>[a-z][a-z0-9_-]*)\s+(?<attrs>{(?:(?:[^}]+|}+(?=})|(?!}\s+\/?-->).)*+)?}\s+)?(?<void>\/)?-->/s',
 			$this->document,
 			$matches,
 			PREG_OFFSET_CAPTURE,
@@ -380,6 +381,11 @@
 			$this->offset
 		);
 
+		// if we get here we probably have catastrophic backtracking or out-of-memory in the PCRE
+		if ( false === $has_match ) {
+			return array( 'no-more-tokens', null, null, null, null );
+		}
+
 		// we have no more tokens
 		if ( 0 === $has_match ) {
 			return array( 'no-more-tokens', null, null, null, null );
Index: src/wp-includes/script-loader.php
===================================================================
--- src/wp-includes/script-loader.php	(revision 43954)
+++ src/wp-includes/script-loader.php	(working copy)
@@ -212,9 +212,9 @@
 		'annotations' => '1.0.3',
 		'autop' => '2.0.2',
 		'blob' => '2.1.0',
-		'block-library' => '2.2.8',
-		'block-serialization-default-parser' => '2.0.0',
-		'blocks' => '6.0.2',
+		'block-library' => '2.2.9',
+		'block-serialization-default-parser' => '2.0.1',
+		'blocks' => '6.0.3',
 		'components' => '7.0.3',
 		'compose' => '3.0.0',
 		'core-data' => '2.0.14',
@@ -223,11 +223,11 @@
 		'deprecated' => '2.0.3',
 		'dom' => '2.0.7',
 		'dom-ready' => '2.0.2',
-		'edit-post' => '3.1.3',
-		'editor' => '9.0.3',
+		'edit-post' => '3.1.4',
+		'editor' => '9.0.4',
 		'element' => '2.1.8',
 		'escape-html' => '1.0.1',
-		'format-library' => '1.2.6',
+		'format-library' => '1.2.7',
 		'hooks' => '2.0.3',
 		'html-entities' => '2.0.3',
 		'i18n' => '3.1.0',